Enable users to add WebAuthn credentials to their accounts

So far, this commit won't use them yet, but rather enables the management of WebAuthn credentials.

Author: MrSerth

Gemfile

@@ -54,6 +54,7 @@ gem 'telegraf'
 gem 'terser', require: false
 gem 'tubesock', github: 'openhpi/tubesock'
 gem 'turbolinks'
+gem 'webauthn'
 gem 'whenever', require: false
 gem 'zxcvbn-ruby', require: 'zxcvbn'
 

Gemfile.lock

@@ -87,6 +87,7 @@ GEM
     addressable (2.8.7)
       public_suffix (>= 2.0.2, < 7.0)
     amq-protocol (2.3.2)
+    android_key_attestation (0.3.0)
     ast (2.4.2)
     base64 (0.2.0)
     bcrypt (3.1.20)
@@ -96,6 +97,7 @@ GEM
       rack (>= 0.9.0)
       rouge (>= 1.0.0)
     bigdecimal (3.1.8)
+    bindata (2.5.0)
     bindex (0.8.1)
     binding_of_caller (1.0.1)
       debug_inspector (>= 1.2.0)
@@ -126,13 +128,17 @@ GEM
       image_processing (~> 1.1)
       marcel (~> 1.0.0)
       ssrf_filter (~> 1.0)
+    cbor (0.5.9.8)
     charlock_holmes (0.7.9)
     childprocess (5.1.0)
       logger (~> 1.5)
     chronic (0.10.2)
     coderay (1.1.3)
     concurrent-ruby (1.3.4)
     connection_pool (2.4.1)
+    cose (1.3.1)
+      cbor (~> 0.5.9)
+      openssl-signature_algorithm (~> 1.0)
     crack (1.0.0)
       bigdecimal
       rexml
@@ -307,6 +313,9 @@ GEM
       rack (>= 1.2, < 4)
       snaky_hash (~> 2.0)
       version_gem (~> 1.1)
+    openssl (3.2.0)
+    openssl-signature_algorithm (1.3.0)
+      openssl (> 2.0)
     package_json (0.1.0)
     parallel (1.26.3)
     parser (3.3.6.0)
@@ -470,6 +479,8 @@ GEM
     rubytree (2.1.0)
       json (~> 2.0, > 2.3.1)
     rubyzip (2.3.2)
+    safety_net_attestation (0.4.0)
+      jwt (~> 2.0)
     sassc (2.4.0)
       ffi (~> 1.9)
     sassc-rails (2.1.2)
@@ -561,6 +572,10 @@ GEM
     thor (1.3.2)
     tilt (2.4.0)
     timeout (0.4.2)
+    tpm-key_attestation (0.12.1)
+      bindata (~> 2.4)
+      openssl (> 2.0)
+      openssl-signature_algorithm (~> 1.0)
     turbo-rails (2.0.11)
       actionpack (>= 6.0.0)
       railties (>= 6.0.0)
@@ -578,6 +593,14 @@ GEM
       activemodel (>= 6.0.0)
       bindex (>= 0.4.0)
       railties (>= 6.0.0)
+    webauthn (3.2.2)
+      android_key_attestation (~> 0.3.0)
+      bindata (~> 2.4)
+      cbor (~> 0.5.9)
+      cose (~> 1.1)
+      openssl (>= 2.2)
+      safety_net_attestation (~> 0.4.0)
+      tpm-key_attestation (~> 0.12.0)
     webmock (3.24.0)
       addressable (>= 2.8.0)
       crack (>= 0.3.2)
@@ -681,6 +704,7 @@ DEPENDENCIES
   tubesock!
   turbolinks
   web-console
+  webauthn
   webmock
   whenever
   zxcvbn-ruby

app/controllers/webauthn_credentials_controller.rb

@@ -0,0 +1,130 @@
+# frozen_string_literal: true
+
+class WebauthnCredentialsController < ApplicationController
+  include CommonBehavior
+
+  before_action :set_user_and_authorize
+  before_action :set_webauthn_credential, only: MEMBER_ACTIONS
+
+  def show; end
+
+  def new
+    @webauthn_credential = WebauthnCredential.new(user: @user)
+    authorize @webauthn_credential
+
+    @webauthn_create_options = personalized_options
+    session[:current_challenge] = @webauthn_create_options.challenge
+  end
+
+  def edit; end
+
+  def create
+    @webauthn_credential = @user.webauthn_credentials.build(
+      label: webauthn_credential_params[:label]
+    )
+
+    authorize!
+
+    raise WebAuthn::Error.new(t('.missing_challenge')) unless session[:current_challenge]
+    raise WebAuthn::Error.new(t('.invalid_param')) unless credential_param.is_a?(Hash) && credential_param.key?('rawId')
+
+    credential = WebAuthn::Credential.from_create(credential_param)
+    credential.verify(session[:current_challenge], user_presence: true, user_verification: true)
+
+    @webauthn_credential.assign_attributes(
+      external_id: credential.id,
+      public_key: credential.public_key,
+      sign_count: credential.sign_count,
+      transports: credential.response.transports
+    )
+
+    # In case something goes wrong, we want to show the user the same options again.
+    @webauthn_create_options = personalized_options
+    session[:current_challenge] = @webauthn_create_options.challenge
+
+    create_and_respond(object: @webauthn_credential, path: -> { @webauthn_credential.user }) do
+      session.delete(:current_challenge)
+      # Don't return a specific value from this block, so that the default is used.
+      nil
+    end
+  rescue JSON::ParserError, WebAuthn::Error => e
+    flash.now[:danger] = ERB::Util.html_escape e.message
+    respond_to do |format|
+      @webauthn_create_options = personalized_options
+      session[:current_challenge] = @webauthn_create_options.challenge
+
+      respond_with_invalid_object(format, template: :new)
+    end
+  end
+
+  def update
+    update_and_respond(object: @webauthn_credential, params: {label: webauthn_credential_params[:label]}, path: [@webauthn_credential.user, @webauthn_credential])
+  end
+
+  def destroy
+    destroy_and_respond(object: @webauthn_credential, path: @webauthn_credential.user)
+  end
+
+  private
+
+  def personalized_options
+    @user.with_lock do
+      if @user.webauthn_user_id.blank?
+        @user.validate_password = false if @user.respond_to?(:validate_password=)
+        @user.update!(webauthn_user_id: WebAuthn.generate_user_id)
+      end
+    end
+
+    WebAuthn::Credential.options_for_create(
+      user: {
+        id: @user.webauthn_user_id,
+        display_name: @user.displayname,
+        name: @user.webauthn_name,
+      },
+      exclude_credentials:,
+      authenticator_selection: {
+        user_verification: :required,
+      }
+    )
+  end
+
+  def exclude_credentials
+    @user.webauthn_credentials.map do |cred|
+      {id: cred.external_id, type: WebAuthn::TYPE_PUBLIC_KEY, transports: cred.transports}
+    end
+  end
+
+  def authorize!
+    raise Pundit::NotAuthorizedError if @webauthn_credential.present? && @user.present? && @webauthn_credential.user != @user
+
+    authorize(@webauthn_credential)
+  end
+
+  def set_user_and_authorize
+    if params[:external_user_id]
+      @user = ExternalUser.find(params[:external_user_id])
+    else
+      @user = InternalUser.find(params[:internal_user_id])
+    end
+    params[:user_id] = @user.id_with_type # for the breadcrumbs
+    authorize(@user, :update?)
+  end
+
+  def set_webauthn_credential
+    @webauthn_credential = WebauthnCredential.find(params[:id])
+    authorize!
+  end
+
+  def webauthn_credential_params
+    params.require(:webauthn_credential).permit(:credential, :label)
+  end
+
+  def credential_param
+    return @credential_param if defined? @credential_param
+
+    credential_param = webauthn_credential_params[:credential]
+    @credential_param = JSON.parse(credential_param.to_s)
+  rescue JSON::ParserError
+    @credential_param = {}
+  end
+end

app/javascript/webauthn.js

@@ -0,0 +1,50 @@
+import {
+  supported,
+  create,
+  parseCreationOptionsFromJSON,
+} from "@github/webauthn-json/browser-ponyfill";
+
+let form;
+let credentialMethod;
+
+function getPublicKey() {
+  return { publicKey: form.data('publicKey') }
+}
+
+async function createCredential(publicKey) {
+  const options = parseCreationOptionsFromJSON(publicKey);
+  return await create(options);
+}
+
+$(document).on('turbolinks:load', function() {
+  if ($.isController('webauthn_credentials')) {
+    form = $('form#new_webauthn_credential');
+    credentialMethod = createCredential;
+  }
+
+  if (!supported()) {
+    setTimeout(() => {
+      // In order to use `showPermanent`, we need to wait for the flash helper to finish initializing
+      $.flash.danger({
+        text: I18n.t('webauthn_credentials.browser_not_supported'),
+        showPermanent: true,
+        icon: ['fa-solid', 'fa-exclamation-triangle']
+      });
+    }, 100);
+    form.find('input[type="submit"]').prop('disabled', true);
+    return;
+  }
+
+  form.on('submit', function(event) {
+    event.preventDefault();
+    const publicKey = getPublicKey();
+    credentialMethod(publicKey).then((credential) => {
+        form.find('input[name="webauthn_credential[credential]"]').val(JSON.stringify(credential));
+        this.submit();
+      }
+    ).catch((error) => {
+      form.find('input[type="submit"]').prop('disabled', false);
+      $.flash.danger({text: error});
+    })
+  });
+});

app/models/external_user.rb

@@ -7,4 +7,8 @@ class ExternalUser < User
   def displayname
     name.presence || "#{model_name.human} #{id}"
   end
+
+  def webauthn_name
+    "#{consumer.name}: #{displayname}"
+  end
 end

app/models/internal_user.rb

@@ -37,4 +37,8 @@ def password_strength
   def displayname
     name
   end
+
+  def webauthn_name
+    email
+  end
 end

app/models/user.rb

@@ -24,6 +24,7 @@ class User < Contributor
   has_many :events_synchronized_editor, class_name: 'Event::SynchronizedEditor'
   has_many :pair_programming_exercise_feedbacks
   has_many :pair_programming_waiting_users
+  has_many :webauthn_credentials, as: :user, dependent: :destroy
   has_one :codeharbor_link, dependent: :destroy
   accepts_nested_attributes_for :user_proxy_exercise_exercises
 

app/models/webauthn_credential.rb

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+
+class WebauthnCredential < ApplicationRecord
+  belongs_to :user, polymorphic: true
+
+  validates :external_id, :public_key, :label, :sign_count, presence: true
+  validates :external_id, uniqueness: true
+  validates :label, uniqueness: {scope: %i[user_id user_type]}
+  validates :sign_count, numericality: {only_integer: true, greater_than_or_equal_to: 0, less_than_or_equal_to: (2**32) - 1}
+
+  delegate :to_s, to: :label
+
+  def self.parent_resource
+    User
+  end
+end

app/policies/webauthn_credential_policy.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class WebauthnCredentialPolicy < ApplicationPolicy
+  %i[create? new?].each do |action|
+    define_method(action) { admin? || teacher? }
+  end
+
+  %i[destroy? edit? show? update?].each do |action|
+    define_method(action) { admin? || author? }
+  end
+
+  def index?
+    no_one
+  end
+
+  private
+
+  def author?
+    @record.user == @user
+  end
+end

app/views/external_users/show.html.slim

@@ -33,6 +33,7 @@ h1 = @user.displayname
 
 - if @user == current_user || current_user.admin?
   = row(label: 'codeharbor_link.profile_label', value: @user.codeharbor_link.nil? ? link_to(t('codeharbor_link.new'), polymorphic_path([@user, CodeharborLink], action: :new), class: 'btn btn-secondary') : link_to(t('codeharbor_link.edit'), polymorphic_path([@user, @user.codeharbor_link], action: :edit), class: 'btn btn-secondary'))
+  = render 'webauthn_credentials/list'
 
 h4.mt-4 = link_to(t('.exercise_statistics'), statistics_external_user_path(@user)) if policy(@user).statistics?